(57) Abstract

The authentication system comprises at least one station (102) and a host (104). The station (102) comprises a memory (118) for electronically storing a plurality of authentication items. Constructing means (120) are used to construct an authentication control element, such as a key, from a part of the authentication items which is selected for each message. Authentication means (116) authenticate the message substantially uniquely under control of the authentication control element constructed for the message. The authenticated message is sent to the host. The host comprises a memory (122) for electronically storing the authentication items of the station. The host comprises constructing means (126) for constructing for each received authenticated message an authentication control element in the same way as the station. Verification means (124) are used for, under control of the authentication control element, verifying the authenticity of the received message.




WO 98/55930

PCT/IB98/00578



Authentication system. 



The invention relates to an authentication system comprising at least one station and a host; the station comprising: authentication means for, based upon an authentication algorithm, authenticating a message; and communication means for sending the authenticated message to the host; the host comprising: communication means for receiving an authenticated message; and verification means for verifying the authenticity of the received message by checking the received message with an authentication algorithm corresponding to a station which sent the message.

With the increase of electronic communication and electronic financial transactions, identification and authentication has become an essential aspect of many systems. Normally in an authenticated transaction three parties are involved: a host, a station and a user of the station. The host may, for example, be a central computer at a bank, at a retailer, or at a company providing services via Internet, or be a file server. The station may be a personal computer (PC), a Personal Digital Assistant (PDA) or a hand-held PC (HPC), usually connected or connectable via telecommunications to the host computer. The message may be a digital representation of a user generated message, including an instruction to a bank, but may also be computer data or computer code, such as a Java applet. In many applications, the station is split into two parts: a user station and an access station.

An identification, such as a communication address, which uniquely identifies the station is stored in the memory of the station. A message generated in the station, usually at the request of the user, is authenticated using an authentication algorithm. Typically, the message is authenticated by generating an additional digital signature. The authenticated message is sent to the host together with the identification of the station. The host uses the same or a complementary authentication algorithm to verify the authenticity of the message.

For certain applications, like a user instructing a bank to transfer money from a bank account, it may be required that the station performs some form of access control ensuring that only an authorised user can issue the instruction. The access control may, for instance, be based on a PIN-code or password. Also more advanced methods, for instance based on biometrical information, may be used. The access information may be passed on to the host as part of the message. For other applications, like a transfer of a small amount of electronic money, it may not be required or, in view of privacy or safety, even be undesired that additional access control is performed or that the access information is transferred to the host. The access control is not part of the invention.

Most authentication algorithms are based on encryption algorithms, such as the symmetrical DES algorithm or the asymmetrical public-key RSA algorithm. Typically, the same algorithm is used for each station and a dedicated key is used to make the algorithm act in a manner specific for the station. The security provided by such algorithms is mainly based on the algorithmic strength of the involved algorithms, which are, as a consequence, complicated and costly to implement, which is a particular drawback for simple consumer electronic products.

It is an object of the invention to provide an authentication system of the kind set forth, which is simple to develop. It is a further object to provide such a system which can be cost-effectively implemented in consumer electronic products. It is a further object to provide such an authentication system which offers a high level of security.

To achieve this object, the authentication system according to the invention is characterised in that the station comprises a memory for electronically storing a plurality of authentication items; the host comprises a memory for electronically storing the authentication items of the station in association with an identification of the station;

the station comprises constructing means for constructing for each message a corresponding authentication control element; the constructing means being operable to select for the message a part of the plurality of authentication items and to construct the authentication control element from the selected part, where the authentication control element in practical circumstances causes the authentication algorithm to substantially authenticate the corresponding message uniquely; and

the host comprises constructing means for constructing for each received authenticated message an authentication control element from the authentication items associated with a station which sent the message; the construction being the same as performed by the associated station.

The system according to the invention is based on the insight that the simple manner in which parents and children identify each other when they are not in direct contact, such as in the case of a kidnapping, can form the basis of an automatic authentication system. If for instance a child is kidnapped, the parents want to be sure that the kidnappers indeed hold the child and that, for instance, a ransom demand genuinely relates to their child. At the moment when identification of, for instance, the child is required, the child informs the kidnappers of a few events from a large set of events known to the child and parents and unknown to others (or at least to the kidnappers). For each communication with the kidnappers, the parents may request that the child recalls other events. This ensures that the kidnappers have to keep the child alive. It also ensures that no fraudulent kidnappers, who in one way or another intercepted a set of identifying events, can re-use this set for authenticating a fraudulent demand.

Based on this insight, the host (parent) and the station (child) share a large set of authentication items. For each message which needs to be authenticated, a small subset from the authentication items is selected and used to form an authentication control element which controls an authentication algorithm. In practical circumstances the authentication algorithm authenticates with a high likelihood the corresponding message uniquely under control of the authentication control element. A main strength of the system according to the invention lies in unpredictably authenticating messages by selecting a subset of authentication items from a relatively large set, where for each next message other items may be selected. This allows the use of a simple authentication algorithm, where the emphasis is not on the algorithmic strength of the algorithm, such as the difficulty of predicting for a message the corresponding authenticated message, but on using the algorithm in an unpredictable manner. A correlation which might occur in the authentications generated for successive messages can be broken by using an authentication control element which is not related to the authentication algorithm. The authentication items, which determine the authentication control element, can be generated in advance using sophisticated means, such as real random sequence generators, if desired. For a fraudulent party to be able to break the system, the fraudulent party needs not only to intercept sufficient messages to be able to break the authentication algorithm but also to determine the entire set of authentication items.

The size of the set of authentication items and the size of the subset used to generate an authentication control element can be chosen to optimally suit the application in which the system is used. As an example, for a not very demanding application, a set of authentication items formed by a couple of hundred random bytes may be used, where the authentication algorithm may be based on a substitution, using a substitution table. Some or all elements of the substitution table which have been used during the substitution are replaced by new elements derived from the random bytes. These new elements form the authentication control element. The new elements may, for instance, be selected using a (pseudo-)random number generator. For more demanding applications, more authentication items may be used. If desired, also the complexity of the involved algorithm may be increased, for instance by basing the authentication algorithm on algorithmically strong encryption algorithms, such as DES, where the authentication control element forms a key for DES. For applications which require a high level of security, the authentication items and the algorithms are preferably stored in, respectively executed in, a secure module, such as a tamper-proof IC.

It should be noted that the Dutch Giro (Postbank) uses the TAN (Transaction Number) system for electronic payments by customers using a PC and a modem. The customers of the Postbank receive via regular mail several transaction numbers printed on a piece of paper. For each transaction the client has to enter a next transaction number until all numbers have been used, at which moment the client receives a new set of numbers. A fraudulent party has, in general, easy access to the transaction numbers at the customer's premises. Furthermore, the distribution of the transaction numbers from the host to the customer makes the system vulnerable to fraudulent parties intercepting the list.

For simple systems, for instance used to check the authenticity of an entry ticket to a sporting event or concert, it may be sufficient to differentiate between authentic and non-authentic stations. The station, such as an electronic ticket, may be re-used for authenticating a series of events by using an event-specific message. For a more demanding system, such as one involving financial transactions, a message is advantageously authenticated in a manner unique for the station.

The measure as defined in the dependent claim 2 has the advantage that 
the uniqueness of the station identification is used for authenticating a message in a manner 
unique for the station. The station identification, which is used to distinguish the station 
amongst the other stations of the system with respect to the host, may, for instance, be a 
communication address or an account number. 

The measure as defined in the dependent claim 3 has the advantage that a fraudulent party needs to intercept messages for each station in order to determine the authentication items specific for the station, making the task of the fraudulent party more complicated.

The measure as defined in the dependent claim 4 has the advantage that the set of shared information (the authentication items) is updated as the station and the host experience more shared events, like authenticating a message. In this way a fraudulent party not only has to determine the set of authentication items but also how the items are modified over time.

In a further embodiment of the system according to the invention, the system is characterised in that the modification means is operative to modify an authentication item at least partly based on an event independent of the authentication items. In this way it becomes even more important for a fraudulent party to intercept and record all messages in order to be able to determine the authentication items. In a simple form the modification may be (partly) based on the previously authenticated message(s). This has the advantage that the message is already transferred to the host, allowing the host to perform the same modification. In some systems the content of the message may be too predictable to significantly increase the task of a fraudulent party in breaking the authentication. In such systems more unpredictable events, such as the time at which the last message was authenticated, may be used. To allow the host to perform the same modification, the event has to be communicated to the host, for instance in the form of a time-stamp. Preferably, the modification is at least partly based on a random or pseudo-random event. Advantageously, the least-significant bits of a clock are used, giving for most systems a sufficiently random event, particularly if messages are authenticated individually and not processed in a sequential batch.
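The shared item pool, the per-message selection of a small subset as the control element, and the post-message modification of the used items driven by the message and a clock-derived event (the embodiment paragraphs above, "Based on this insight..." and "In a further embodiment...") can be put together in a small working model. The following is an added example written for this page, not code from the patent or its applicant. It assumes HMAC-SHA256 as the authentication algorithm (the patent mentions a substitution table or DES), a message counter combined with one pool item as the selection state, a one-byte event (standing in for the low bits of a clock) carried in front of the message so the host can repeat the same modification, and a constructed 256-byte pool loaded into both parties.

```python
import hashlib
import hmac

POOL_SIZE = 256     # "a couple of hundred random bytes" shared by station and host
SUBSET_SIZE = 16    # items selected per message to build the control element
TAG_LEN = 16        # truncated HMAC output carried with the message


class Party:
    """State that station and host hold identically: the item pool and a
    message counter used as the selection state (an assumption of this example)."""

    def __init__(self, pool: bytes):
        assert len(pool) == POOL_SIZE
        self.pool = bytearray(pool)
        self.counter = 0

    def select_indices(self) -> list:
        # The selection depends on the counter and on one pool item used as a
        # control vector XOR-ed over the pseudo-random output, so an observer
        # who does not know the items cannot predict which items are used.
        ctrl = self.pool[self.counter % POOL_SIZE]
        prng = hashlib.sha256(b"select" + self.counter.to_bytes(4, "big")).digest()
        return [(b ^ ctrl) % POOL_SIZE for b in prng[:SUBSET_SIZE]]

    def control_element(self) -> bytes:
        """The key for this message: the selected items concatenated."""
        return bytes(self.pool[i] for i in self.select_indices())

    def modify(self, message: bytes, event: int) -> None:
        """Replace the items just used with values that depend on the message,
        on an event outside the items (e.g. low clock bits) and on the pool."""
        indices = self.select_indices()
        fresh = hashlib.sha256(bytes(self.pool) + message + bytes([event])).digest()
        for j, i in enumerate(indices):
            self.pool[i] = fresh[j]
        self.counter += 1


def authenticate(station: Party, message: bytes, event: int) -> bytes:
    """Station side: build the control element, tag the message, update state.
    Wire format (assumption): event byte || message || tag."""
    key = station.control_element()
    tag = hmac.new(key, bytes([event]) + message, hashlib.sha256).digest()[:TAG_LEN]
    station.modify(message, event)
    return bytes([event]) + message + tag


def verify(host: Party, wire: bytes) -> bool:
    """Host side: rebuild the same control element and check the tag. The host
    only updates its copy of the pool when the message is genuine, so a
    rejected or replayed message cannot push the two sides out of step."""
    event, message, tag = wire[0], wire[1:-TAG_LEN], wire[-TAG_LEN:]
    key = host.control_element()
    expected = hmac.new(key, bytes([event]) + message, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False
    host.modify(message, event)
    return True


def demo() -> dict:
    # Constructed shared pool; a real system would load random bytes into both
    # parties at personalisation time.
    pool = b"".join(hashlib.sha256(b"constructed demo pool %d" % i).digest() for i in range(8))
    station, host = Party(pool), Party(pool)
    message = b"transfer 10.00 to account 123"
    w1 = authenticate(station, message, event=5)   # event: constructed low clock bits
    w2 = authenticate(station, message, event=9)   # same text, later event
    return {
        "first_ok": verify(host, w1),
        "tags_differ": w1[-TAG_LEN:] != w2[-TAG_LEN:],   # same message, different tags
        "replay_rejected": verify(host, w1),             # host state has moved on
        "second_ok": verify(host, w2),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that the strength lies in the unpredictable choice of items, not in the tag algorithm: a replayed wire fails because both pool and counter have moved on, and because the host modifies its pool only after a successful check, an attacker feeding it garbage cannot desynchronise the two sides (a lost genuine message still can, which is why the patent discusses re-synchronisation).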

The measure as defined in the dependent claim 6 has the advantage that it becomes more difficult for a fraudulent party to collect messages relating to the same station. The identification may, for instance, be a conventional communication identification, such as a communication address or a telephone number. Instead of or in addition to such a communication identification, the station identification may also be based on an identification, such as an indication of an account number, which is chosen independent of the communication identification. For such a combined identification only part of the identification, e.g. only the account number, may be modified, whereas the other part remains fixed. Preferably, the host locates information, such as the authentication items, used for verifying the authentication at least partially based on the variable part of the identification. As an example, the host may locate the relevant information for verifying a message in dependence on a bank account number. Instead of using the real bank account number as the identification (and exchanging the real bank account number), a virtual bank account number is used. The station and the host are initially loaded with the same virtual account number. The host also knows how to associate (map) the virtual number with the real bank account number. Usually, the station also knows the real bank account number for local operations, such as display to the user, and preferably hides the virtual number from the user. The virtual number is exchanged and not the real number. Only in exceptional cases, e.g. when the synchronisation in updating the virtual number is lost between the host and the station, it may be required to re-synchronise to a new virtual number using the real number for once as an identification. Both the station and the host can alter the virtual number in the same way, keeping the real underlying bank account number fixed (i.e. only the mapping between a variable virtual number and a fixed real number is changed). In such a scenario, the virtual number acts as the identification according to the invention.

Particularly for mobile stations, such as a PDA or a smart-card, with no fixed communication link to the host, it becomes practically impossible for a fraudulent party to collect messages related to a specific station or a specific application within the station, such as an application for financial transfers/information retrieval, downloading of software or playing of a network game, where each application uses an application-specific authentication algorithm or set of authentication items. This allows the use of fewer authentication items or a simpler authentication algorithm. It further allows fraudulent messages to be detected at an early stage. As an example, in a system where no more than 65,000 stations need to be distinguished (implying that in principle a two-byte identification would be sufficient) a larger identification of, for instance, four or six bytes may be used, where the identification is chosen dynamically. If a four-byte identification is used, the host can identify almost all received fraudulent messages as being fraudulent simply by checking the identification. Only for on average 1 out of 65,000 fraudulent messages does the authentication of the message (which typically involves more processing) need to be checked. This makes the system suitable for use in environments, such as Internet, where brute-force attacks by generating many different fraudulent messages may occur. Preferably, the response time of the host is similar regardless of the station identification being valid or not, ensuring that fraudulent parties cannot distinguish between valid and invalid station identifications. Advantageously, the alteration means alters the station identification at least partly based on a message and/or a time-stamp. In this way it becomes even more important for a fraudulent party to intercept and record all messages in order to be able to determine the current station identification.
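To make the dynamic identification of the two paragraphs above concrete (a rotating virtual number that the host maps to a fixed real account, the cheap identification check ahead of the costlier authentication check, and the one-off re-synchronisation using the real number), here is an added example written for this page; it is not the patent's code. It assumes a 4-byte virtual identifier derived with SHA-256 from a per-station secret, the previous identifier and the message; HMAC-SHA256 as the authentication algorithm; and that the host always performs one tag computation, against a dummy secret when the identifier is unknown, so that its response cost does not reveal whether the identifier was valid. The station secret, initial identifier and account name are constructed.

```python
import hashlib
import hmac

ID_LEN = 4      # four-byte virtual identification for far fewer than 65,000 stations
TAG_LEN = 16


def next_virtual_id(secret: bytes, current: bytes, message: bytes) -> bytes:
    """Both sides derive the next identifier from the station secret, the
    current identifier and the message just authenticated (assumption)."""
    return hashlib.sha256(secret + current + message).digest()[:ID_LEN]


def make_tag(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()[:TAG_LEN]


class Station:
    def __init__(self, real_account: str, secret: bytes, virtual_id: bytes):
        self.real_account = real_account   # kept for local use only, never sent
        self.secret = secret
        self.virtual_id = virtual_id

    def send(self, message: bytes) -> bytes:
        wire = self.virtual_id + message + make_tag(self.secret, message)
        self.virtual_id = next_virtual_id(self.secret, self.virtual_id, message)
        return wire


class Host:
    DUMMY_SECRET = bytes(32)   # so unknown identifiers cost the same work as known ones

    def __init__(self):
        self.by_virtual_id = {}   # virtual id -> (real account, secret)

    def register(self, real_account: str, secret: bytes, virtual_id: bytes) -> None:
        self.by_virtual_id[virtual_id] = (real_account, secret)

    def receive(self, wire: bytes):
        """Return the real account on success, None otherwise."""
        vid, message, tag = wire[:ID_LEN], wire[ID_LEN:-TAG_LEN], wire[-TAG_LEN:]
        record = self.by_virtual_id.get(vid)
        secret = record[1] if record else self.DUMMY_SECRET
        genuine = hmac.compare_digest(make_tag(secret, message), tag)
        if record is None or not genuine:
            return None
        real_account, secret = record
        # Rotate the mapping: the fixed real account gets a new virtual number.
        del self.by_virtual_id[vid]
        self.by_virtual_id[next_virtual_id(secret, vid, message)] = record
        return real_account

    def resync(self, real_account: str, new_virtual_id: bytes) -> bool:
        """Exceptional path: the real number is used once to re-establish the mapping."""
        for vid, (account, secret) in list(self.by_virtual_id.items()):
            if account == real_account:
                del self.by_virtual_id[vid]
                self.by_virtual_id[new_virtual_id] = (account, secret)
                return True
        return False


def demo() -> dict:
    secret = hashlib.sha256(b"constructed station secret").digest()
    first_id = b"\x12\x34\x56\x78"            # constructed initial virtual number
    station = Station("real-account-0001", secret, first_id)
    host = Host()
    host.register("real-account-0001", secret, first_id)
    m1 = station.send(b"transfer 10.00")
    accepted = host.receive(m1)
    replay = host.receive(m1)                  # the old identifier is no longer known
    forged = host.receive(b"\xde\xad\xbe\xef" + b"transfer 10.00" + bytes(TAG_LEN))
    station.send(b"transfer 20.00")            # lost in transit: the host never sees it
    out_of_sync = host.receive(station.send(b"transfer 30.00"))
    host.resync("real-account-0001", station.virtual_id)   # real number used once
    after_resync = host.receive(station.send(b"transfer 40.00"))
    return {"accepted": accepted, "replay": replay, "forged": forged,
            "out_of_sync": out_of_sync, "after_resync": after_resync}


if __name__ == "__main__":
    print(demo())
```

A forged or replayed wire is turned away at the identifier lookup, which is the cheap filter the text describes; the design cost is that a single lost message leaves the station one rotation ahead of the host, so the re-synchronisation path is not optional in practice.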

The measure as defined in the dependent claim 7 has the advantage that in a simple way it can be ensured that messages, even the same messages, are with a high likelihood authenticated differently. Furthermore, it limits the possibilities of a fraudulent party, including the legitimate owner or designer of the station, to generate known messages and from the corresponding authenticated message derive the authentication items of the station.

The measure as defined in the dependent claim 8 has the advantage that the host independently generates the same additional data, providing a further check of the authenticity of the message.

The measure as defined in the dependent claim 9 has the advantage that by incorporating the additional data into the message, for instance by mixing the additional data with the message, and authenticating the resulting message, the host only needs to verify the resulting message as before and can then discard the additional data, without being able to generate the additional data. Advantageously, each station generates the additional data in a manner unique for the station.

The measure as defined in the dependent claim 10 has the advantage that by using a state variable, such as a feedback state for a random number generator, the construction means can autonomously select different parts of the authentication items for a large sequence of messages. Preferably any periodicity in the selection is sufficiently large in view of the application. By ensuring that the selection also depends on the authentication items (for instance on a subset of the authentication items), which have been generated independent of the construction means, a correlation which might occur in successive selections can be reduced. As an example, the control vector could be one authentication item which is XOR-ed over the basic output, such as a random number, of the construction means. The control vector itself may be each time randomly selected from the set of authentication items.

These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments shown in the drawings.

Fig. 1 shows a block diagram of a system according to the invention,
Fig. 2 shows a flow-chart of a possible operation in the station 102, and
Fig. 3 shows a flow diagram of a basic operation which can be used in steps of Fig. 2.

Fig. 1 shows a block diagram of a system according to the invention. The authentication system comprises a host 100 and at least one station. As an example two stations 102 and 104 are shown. Further details of the stations will be given with reference to station 102 only. Typically, the host 100 is implemented on a computer suitable for acting as a server. The station may be implemented on, for instance, a Personal Computer (PC), a Personal Digital Assistant (PDA) or a hand-held PC (HPC). In an exemplary application, a user instructs a bank to perform a financial transaction. The user enters the instruction in his station. The station generates a corresponding message, authenticates the message and transfers the message to the host computer at the bank. The host checks the authentication and, if valid, proceeds with processing the instruction. The authentication serves various well-known purposes, such as reducing the chance of a third party, pretending to be another party, transmitting a message on behalf of the other party (the third party may have generated the fraudulent message or may be re-transmitting an intercepted message which has been validly transmitted by the original party) and reducing the chance of the original party repudiating the message. The system may also be used for various other forms of electronic communication, such as for authenticating electronic mail, the exchange of electronic documents (such as an HTML document) or program modules (such as Java applets), or the communication between software objects located in different computers. If the receiving party can trust the sending party, the authentication ensures that the receiving party can safely use the received digital data, without having any risk of, for instance, having received virus-infected data or data which may adversely affect the local station (e.g. by discarding locally stored data). Particularly in situations where stations do not share prior knowledge and wish to safely communicate, the communication preferably takes place via a trusted party. With respect to the sending station the trusted party acts like a host according to the invention and the sending station acts like a station according to the invention. With respect to the receiving station the trusted party acts like a station according to the invention and the receiving station acts like a host according to the invention. The trusted party relays a message received from a sending station to a receiving station if the trusted party has successfully verified the authenticity of the received message, using a verification procedure matching the authentication procedure of the sending station. The trusted party authenticates the received message, using a procedure agreed with the receiving station, before transmitting the message to the receiving station.

It will be understood that, particularly for mobile applications, the station 102 may be split into, for instance, a user station and an access station. The access station establishes the communication with the host 100 and may, for instance, be fixedly located in a shop, a petrol station or integrated with an automatic teller machine of a bank. The access station may also be located at the premises of the user and, for instance, be integrated with a personal computer or audio/video set-top box. The user station ensures a station-specific authentication. The user station may, for instance, be formed by a PDA communicating via IrDA to another PDA or personal computer acting as an access station. As another example, the user station may be formed by a smart-card, where the access station includes a smart-card reader.

The station 102 and the host computer 100 can communicate digitally. To this end, the station comprises communication means 110 for digitally communicating with the host 100. Similarly, the host 100 comprises communication means 112 for digital communication with the station. Usually, the communication will take place using telecommunication, either wired or wireless. The communication means 110 and 112 may be formed by a conventional modem, operated under control of the processor of the station or, respectively, the host. The communication may also be based on local communication, such as a Local Area Network (LAN), infra-red communication or local RF communication, such as for instance used in walkie-talkies. Conventional hardware/software, such as a LAN interface and driver software, may be used for implementing locally operating communication means 110 and 112.

Using the communication facilities, digital data can be exchanged between the station and the host. Typically, the exchange is bi-directional. In certain simple systems, it may be sufficient if communication is only possible from the station to the host. The station 102 comprises a memory 114 for electronically storing a station identification, which uniquely identifies the station to the host. The identification may take several forms. For instance the identification may be an identification at communication level, such as a communication address or a telephone number. The identification may also take the form of an account number, which may also be used in combination with a communication identification. For each communication session, the identification of the station 102 is transferred to the host 100, allowing the host 100 to correlate data exchanged during the session to the identified station 102. It will be appreciated that in certain circumstances, such as where the station is fixedly connected to the host, the identification may be implicit (e.g. which port the station is connected to).

The station 102 comprises authentication means 116 for authenticating a message. As described above, the message may, for instance, be a digital representation of a user generated message, including an instruction to a bank, but may also be computer data or computer code, such as a Java applet, or messages generated by computers (e.g. for playing a multi-user game on several computers). The authentication is based upon an authentication algorithm. In principle the authentication algorithm may be chosen to suit the security requirements of the application. Many techniques for authenticating a message are known. One way is to use a symmetrical encryption algorithm like DES, where the station and the host share the same private key. The station encrypts the message using the key and transmits the encrypted message to the host, along with the station identification. The host uses the station identification to retrieve the key corresponding to the station and uses this key to decrypt the message. Various schemes, such as encryption feedback, message counters or time-stamps, may be used to ensure that the same message is authenticated differently, eliminating the possibility of intercepting and re-transmitting the same message, which then would be accepted again as a valid message by the host. In situations where it is preferred that the entire message (or part of it) is readable, the message may be transmitted in addition to the encrypted message. In such a case, the host can also verify the authenticity of the received data by encrypting the received plain message and comparing it to the received encrypted message. To reduce the length of the data to be transmitted, the authentication part may also be smaller. It is well-known that this can be achieved by using a one-way hash function and encrypting the resulting hash value. The algorithm itself may be simple and based on basic techniques, like confusion and diffusion. Using a confusion technique, such as substitution, the relationship between the plain text and the cipher text is obscured. For high security applications, it may be preferred to use a substitution scheme which operates on blocks of more than one letter. Using a diffusion technique, such as a transposition (also called permutation), the redundancy of the plain text is spread out over the cipher text. It is preferred that linear operations are used in combination with at least one non-linear operation. Whatever authentication algorithm is used, for the system according to the invention it is assumed that the algorithm is used under control of a so-called authentication control element. For an authentication algorithm using DES, this could be the private key. For an authentication algorithm based on substitution this may be (part of) a substitution table. For an authentication algorithm based on a permutation this may be (part of) a permutation matrix. In general, using a different authentication control element will with a high likelihood cause the authentication algorithm to authenticate a same message differently. For most algorithms it will hold that if the same authentication control element is used, the same messages will be authenticated in the same way. However, some authentication algorithms may have measures, such as an internal feedback, ensuring that this is not the case. For such algorithms, the authentication control element can, for instance, play the role of an initial seed, where the algorithm is (at least partly) reset each time a new authentication control element is provided, or the authentication control element may act as a supplementary control vector, which is, for instance, combined with the internal state variable or with the output of the algorithm. The combination may, for instance, take the form of an XOR operation or an operation in GF(2^8) for byte-oriented algorithms. Depending on the algorithm, the authentication control element may be regarded as data or more as an operation.

According to the invention, the station 102 electronically stores a plurality
of authentication items in a memory 118. It will be appreciated that the memories 114 and
118 may be combined. The station further comprises constructing means 120 for constructing
the authentication control element. The construction means 120 derives the authentication
control element from a small part of the entire set of authentication items. This may be done
in various ways, like randomly selecting some items or some bits of some items and using
the selected parts directly or after a mixing operation as the authentication control element.
For each message a corresponding authentication control element is constructed. The
authentication items are independent of the authentication algorithm, and as a consequence
also the authentication control element is independent of the authentication algorithm. In this
way any correlation which might occur when the authentication algorithm were to be used
for authenticating a sequence of messages under control of the same authentication control
element is broken by the unrelated authentication control element. It will be understood that
the size of a small part with respect to the entire set of authentication items has to be
determined in view of the requirements of the application in which the system is used and in
view of further improvements as described below for further embodiments. In systems where
the set of authentication items is highly static, a small part may correspond to a few percent
or less of the entire set. In a system where the set is highly dynamic (i.e. regularly updated),
a small part may be over 50% of the current set of authentication items, where the selected
part is small compared to the superset of authentication items formed by the current
authentication items and future changed authentication items. Such a higher percentage can
particularly be used if the influence of an update of authentication items is spread over
substantially all authentication items of an involved set of authentication items. Preferably,
the authentication items have been generated randomly or selected randomly from a very
large set of suitable authentication items. For instance, for a system used for financial
transactions the authentication items may be generated in a secure manner using a high
quality (real-)random sequence generator located at secure premises of a bank. The
authentication items are loaded into the memory 118 of the station 102. The host 100
electronically stores a copy of the authentication items of the station in a memory 122. It will
be appreciated that, depending on the authentication algorithm, the authentication item may
be a data element, such as a bit or a byte, or an operation, such as a byte-wise XOR or a
GF(2^8) multiplication.

The authentication control element in practical circumstances causes the
authentication algorithm with a high likelihood to authenticate the corresponding message
uniquely. For high demanding systems, preferably each authentication control element is
derived from at least one authentication item which has not been used before. Such a new
authentication item may be combined with (e.g. mixed in with) authentication items which
have been used before. In less demanding systems, a same selection of authentication items
may be used a number of times for constructing an authentication control element. The
construction means 120 should be such that even then the authentication control elements are
different.

The host 100 comprises verification means 124 for verifying the
authenticity of the received message. The verification means 124 checks the received
message with an authentication algorithm which corresponds to the algorithm used by the
station which sent the message. The algorithm may be the same for all stations. If more than
one algorithm is used, the host can locate the algorithm based on the received station
identification. To this end, the station identification may be stored in a memory 128 of the
host. It will be appreciated that the host may perform the verification by using the same
authentication algorithm as used by the station to generate an authentication from the message
and checking whether this matches the received authentication. For certain algorithms, the host
may need to use an inverse algorithm of the algorithm used by the station. The host 100
comprises constructing means 126 for constructing for each received authenticated message
an authentication control element from the authentication items for the identified station in a
same manner as the station identified for the message.

In a further embodiment, the authentication algorithm authenticates each
message in a manner unique for the station. This may be achieved by making the message
authentication dependent on the station identification, which is unique for the station. Such a
dependency may be obtained by deriving a key of the authentication algorithm or the
authentication control element (partly) from the station identification.

Preferably, the authentication is made unique for the station by using
authentication items which are unique for the station. The host 100 associates the copy of the
authentication items of the station with the station, for instance, by combining the memories
122 and 128 and storing the station identification together with the authentication items. The
construction means 126 of the host uses the received station identification to locate a
matching station identification in memory 128 and via the matching identification locate the
authentication items in memory 122 corresponding to the station.

In a further embodiment, the station 102 comprises modification means
130 for modifying at least one of the authentication items after the authenticating means has
authenticated a message. The host comprises modification means 132 for modifying at least
one of the authentication items for the station in the same way as the modification means 130
of the station. Preferably, the station 102 effectuates the modification after the station has
received a confirmation from the host 100 that the host has successfully received the message
and verified the authentication of the message. It is preferred that any confirmation message
is also authenticated in a manner similar to a message transferred from the station to the
host. The modification means 132 performs the modification if the verification means 124
has successfully verified an authenticated message received from the station. Also, additional
transaction and roll-back mechanisms as used for distributed databases may be used to ensure
that the station 102 and the host 100 remain synchronised. The modification may take place
in any suitable form. One way would be to combine a selection of other authentication items
to one new authentication item and to replace an existing authentication item with the new
item. Preferably, the modification means 130, 132 is operative to modify an authentication
item at least partly based on an event independent of the authentication items.
Advantageously, the modification is based on the content of one or more of the preceding
messages. As an alternative or in combination, the modification may also be based on a time-
stamp of one or more of the preceding messages. If a time-stamp is used, the time-stamp is
also transferred to the host 100. The host 100 and the station 102 may also share an
algorithm for generating or collecting the same random data elements, where information
exchanged between the station 102 and the host 100 determines which of the random data
elements is used for generating the new authentication item.
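As an added illustration (not part of the patent text), the following Python sketch models a station and a host that share a set of authentication items, construct a per-message authentication control element from a selected part of them, authenticate with that element, and modify an item only after a successful, confirmed exchange, so that a replayed message no longer verifies. HMAC-SHA256 stands in for the unspecified authentication algorithm; the item count and length, the state-driven selection rule and the XOR mixing are assumptions, and the item set is constructed randomly inline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITEM_COUNT = 16   # assumed size of the item set (the patent leaves this to the application)
ITEM_LEN = 16     # assumed item length in bytes


def make_items(count=ITEM_COUNT, length=ITEM_LEN, rng=os.urandom):
    """Constructed item set; in the patent these are loaded at secure premises."""
    return [rng(length) for _ in range(count)]


def select_part(items, state):
    """Select a small part of the set: two item indices driven by the shared state
    variable (a per-message counter here). The second index rule is hypothetical."""
    i = state % len(items)
    j = (state * 7 + 3) % len(items)
    if j == i:
        j = (j + 1) % len(items)
    return i, j


def construct_control_element(items, state):
    """Constructing means 120/126: mix the selected items (XOR) into the key."""
    i, j = select_part(items, state)
    return bytes(a ^ b for a, b in zip(items[i], items[j]))


def authenticate(message, control_element):
    """Authentication algorithm under control of the element (HMAC stands in)."""
    return hmac.new(control_element, message, hashlib.sha256).digest()[:8]


def modify_item(items, state, message):
    """Modification means 130/132: replace the first selected item by a combination
    of the other items and an external event (the message content)."""
    i, j = select_part(items, state)
    others = [it for k, it in enumerate(items) if k not in (i, j)]
    items[i] = hashlib.sha256(b"".join(others) + message).digest()[:ITEM_LEN]


@dataclass
class Party:
    items: list
    state: int = 0   # state variable, advanced once per authenticated message


class Station(Party):
    def send(self, message):
        key = construct_control_element(self.items, self.state)
        return message, authenticate(message, key)

    def confirm(self, message):
        """Only after the host confirmed successful verification."""
        modify_item(self.items, self.state, message)
        self.state += 1


class Host(Party):
    def receive(self, message, tag):
        key = construct_control_element(self.items, self.state)
        if not hmac.compare_digest(tag, authenticate(message, key)):
            return False   # nothing modified, so both sides stay synchronised
        modify_item(self.items, self.state, message)
        self.state += 1
        return True


def run_exchange(messages, items=None):
    """Run a sequence of messages; returns the per-message results and whether
    the two item sets are still identical afterwards."""
    items = items if items is not None else make_items()
    station, host = Station(list(items)), Host(list(items))
    results = []
    for m in messages:
        msg, tag = station.send(m)
        ok = host.receive(msg, tag)
        if ok:
            station.confirm(m)
        results.append(ok)
    return results, station.items == host.items and station.state == host.state
```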

In a further embodiment, the station 102 comprises alteration means 134
for altering the station identification after the authenticating means 116 has authenticated a
message. The host 100 comprises alteration means 136 for altering the station identification
for the station in the same way as the station after the verification means 124 has
successfully verified a received authenticated message. Preferably, as described for
generating the authentication control element, the altering is performed under control of a set
of authentication items, which are independent of the altering algorithm. For instance, a
selection of the authentication items may be 'mixed-in' with the station identification to
obtain a new station identification. Preferably, a separate set of authentication items is used
for generating the station identifications. Similarly as described for the modification means
130, the alteration means 134, 136 may alter the station identification at least partly based on
a message and/or a time-stamp. This may, for instance, be achieved by modifying the set of
authentication items used for generating the station identifications. The identification
associated with the station may be a communication identification, such as a communication
address or a telephone number, which is also used for the communication hardware/software
to transfer messages between the desired devices. Preferably, the identification is a higher
level identification, which is independent of the communication identification. An example of
such a higher level identification is a bank account number. Both types of identification may
also be used in combination. For such a combination, the communication identification may
be kept the same whereas the higher level identification may be altered. If an identification,
such as a virtual bank account number representing a real bank account number, is changed,
the underlying item (e.g. the real bank account number) is preferably kept the same,
implying that in the host only the mapping of the representation (virtual number) to the actual
underlying item is changed. Particularly, if the station interfaces to the user using the real
underlying item, also the mapping in the station is updated. In some systems it may not be
required that the station is aware of the real underlying item. It will be appreciated that a
station (and as a consequence also the host) may have several different identifications, e.g.
several bank account numbers, associated with the station, where each identification
corresponds to its own unique set of authentication items. In order to exchange messages
with several hosts, preferably the station has several identifications (at least one for each
host) with a corresponding set of authentication items.

In a further embodiment, the station 102 comprises data generation means
138 for generating additional data. The authentication means 116 is operative to authenticate
a message in dependence on the additional data. The generated additional data is such that in
practical circumstances with a high likelihood the additional data is different for each
message. The additional data may be used in various ways. One way is to use the additional
data in a manner 'invisible' to the outside world, except to the host 100. This can, for
instance, be achieved by first concatenating the original message and the additional data.
Next, the authentication of the message with the additional data is determined, followed by
removing the additional data before transferring the authenticated message (i.e. the original
message plus the authentication for both the original message and the additional data) to the
host 100. In this scenario, the host 100 also comprises data generation means 140 for
generating additional data for a received authenticated message in a same manner as the
identified station. The verification means 124 is operative to verify the authenticity of the
received authenticated message in dependence on the additional data. The verification may be
done similar to the authentication by first adding the additional data before checking the
authentication. If the use of additional data is optional, it is preferred that the station 102
informs the host 100 whether the option is used for a message or not. This can be achieved
by using an additional field, of for instance only one bit, in the message.

As an alternative to using the 'invisible' additional data, the authentication
means 116 may also incorporate the additional data into the message before authenticating the
message. In this scenario the additional data is not removed from the message by the station
102. The additional data may be simply concatenated to or may be mixed in with the original
message. The verification means 124 verifies the authentication of the entire message
(original message plus the additional data). For the purpose of verification, the entire
message can be regarded as the message. After the verification, the additional data is
removed and the original message is passed on for further processing. The removal may be
straightforward, particularly if the additional data is simply concatenated. For a more
complex mix operation, the host 100 may need to perform a same mixing operation as the
station in order to be able to determine at which positions in the message the data elements
of the additional data are located, or an inverse mixing operation to be able to remove the
additional data from the message.

It will be appreciated that also a combination of using 'visible' and
'invisible' additional data can be advantageously used. In such a combination, for instance,
the station 102 and the host 100 share some information A. The station 102 generates an
additional part B and uses both parts A and B to generate additional data. The authentication
is based on the entire additional data. The station 102 transfers in combination with the
message the additional data as well as the additional part B to the host 100. The host 100
generates in the same way the additional data using the received part B and the part A, which
was already stored in the host 100. The host 100 checks whether the generated additional
data matches the received additional data. If so, the authenticity of the data is checked
further. Particularly if the additional data and the parts A and B are relatively small
compared to the message, this provides an effective filter for the host 100 for fraudulent
messages without requiring a full verification of the entire message.
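An added example (not from the patent) of the shared part A / fresh part B filter just described: the host first recomputes the small additional data from its stored A and the received B and discards the message cheaply on a mismatch, and only then runs the full verification. The additional data is assumed to be a truncated hash of A and B, HMAC-SHA256 stands in for the authentication algorithm, and the 4-byte filter length and 8-byte part B are assumptions.

```python
import hashlib
import hmac
import os

FILTER_LEN = 4   # assumed size of the additional data used as the cheap filter


def additional_data(part_a, part_b):
    """Additional data derived from shared part A and per-message part B (assumed)."""
    return hashlib.sha256(part_a + part_b).digest()[:FILTER_LEN]


def station_build(message, part_a, key, part_b=None):
    """Station side: fresh B, additional data from A and B, authentication over the
    message together with the entire additional data; B and the additional data
    are sent 'visibly' alongside the message."""
    part_b = part_b if part_b is not None else os.urandom(8)
    extra = additional_data(part_a, part_b)
    tag = hmac.new(key, message + extra, hashlib.sha256).digest()
    return {"message": message, "part_b": part_b, "extra": extra, "tag": tag}


def host_check(packet, part_a, key):
    """Host side: 'filtered' if the recomputed additional data does not match the
    received one (no full verification performed), otherwise 'accepted' or
    'rejected' from the full check of the authentication."""
    expected = additional_data(part_a, packet["part_b"])
    if not hmac.compare_digest(expected, packet["extra"]):
        return "filtered"
    full = hmac.new(key, packet["message"] + expected, hashlib.sha256).digest()
    return "accepted" if hmac.compare_digest(full, packet["tag"]) else "rejected"


def demo():
    # Constructed shared secrets: A is stored on both sides, the key drives the
    # authentication algorithm (in the patent this would be the control element).
    part_a, key = b"shared-part-A-example", b"assumed-key-material"
    good = station_build(b"pay 100 to account 42", part_a, key, part_b=bytes(8))
    garbled = dict(good, extra=bytes(FILTER_LEN))          # wrong additional data
    tampered = dict(good, message=b"pay 900 to account 42")  # passes filter, fails tag
    return [host_check(p, part_a, key) for p in (good, garbled, tampered)]
```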

In a further embodiment, the construction means 120 and 126 comprise at
least one state variable which influences the construction of the authentication control
element. The construction means 120 and 126 update the state variable at least each time a
message has been authenticated. The use of a state variable allows the construction means to
autonomously select different parts of the authentication items for a large sequence of
messages. The construction means may, for instance, be based on a (pseudo-)random
sequence generator, where the state variable corresponds to a feedback state of the generator.
Preferably, any periodicity in the sequence is sufficiently large in view of the application.
For instance, the periodicity is larger than the expected number of messages authenticated by
the station 102. The state variable may also be a pointer to an authentication item (in the set
of authentication items), which has been last used for generating the authentication control
element. If more than one authentication item is used for constructing the authentication
control element, a separate state variable may be used for each of them. The construction
means 120 and 126 construct the authentication control element under control of a control
vector. The control vector may directly influence the operation of the construction means
120, 126, or, alternatively, may influence the output of the construction means 120, 126 in a
different manner, for instance by XOR-ing the control vector over the basic output (e.g.
random number) of the construction means 120, 126. The control vector is derived from a
selection of the authentication items, for instance by 'randomly' selecting an authentication
item from a given set of authentication items and using the selected item as the control
vector. Preferably a separate set of authentication items is used for forming the control
vector. Like described earlier, these authentication items may also be modified.

Fig. 2 shows a flow-chart of a possible operation in the station 102. In
step 200, the station collects information regarding the identification of the user of the
station, such as a user name and password, or a fingerprint. In step 202 the identification is
checked. If not accepted, the previous steps are repeated one or more times, if required with
a time delay and a limit on the number of retries. (Preferably, the station 102 reports a failed
attempt when the legitimate owner successfully gains access.) If accepted, in step 204
information is collected from the user based on which a message is compiled. Next, in step
206 it is checked whether additional data is required. If so, in step 208 the additional data is
generated and added (for instance appended) in step 210 to the message. In step 212 it is
checked whether the message needs to be scrambled. If so, the scrambling occurs in step
213. The scrambling may be restricted to the original message generated at step 204 or may
cover the entire message created at step 210. In step 214 the authentication for the message
is generated and added to the message (e.g. appended) in step 216. In step 218 it is checked
whether the option of dynamically changing the station identification is used. If so, in step
220 a new station identification is created. In both cases, in step 222 the station identification
is added (e.g. prefixed) to the message. In step 224, one or more of the authentication items
are changed. Preferably, authentication items which have been involved in any of the
preceding steps are modified. Finally, in step 226 the message is sent to the host 100. Steps
may be added to ensure that the host 100 and the station 102 stay synchronised (i.e. that
authentication items and shared state variables are updated synchronously). In the exceptional
case that the synchronisation in updating the virtual number used as the station identification
is lost between the host and the station, it may be required to re-synchronise to a new virtual
number by once using the real number as an identification. It will be appreciated that a
similar corresponding flow-chart can be used to describe the activities of the host 100.

Fig. 3 shows a flow diagram of a basic operation which can be used in
various steps of Fig. 2. The core operation is performed in block 300, where a (pseudo-
)random number is generated. In block 302 a seed for the generator is selected from a first
set of authentication items. A correlation which might occur in the sequence of generated
numbers is broken by using a feedback and combining in block 304 the feedback with at least
one authentication item. The combination may simply be an XOR operation. The
authentication item is selected in block 306 from a second set of authentication items. It will
be appreciated that the combination may also be in the output path 308 of the generator 304
instead of in the feedback path. The sets of authentication items may, for instance, consist of
100 authentication items each. The actual number is preferably chosen to optimally suit the
need of the application. The selection performed in blocks 302 and 306 may be
straightforward, like each time selecting a next one of the authentication items. Using such a
scheme, preferably the first authentication items have been changed by the time all
authentication items have been used. The basic operation of Fig. 3 may be used directly to
generate the additional data of step 208 or the new station identification of step 220 in Fig.
2. For the scrambling of step 214, the random numbers can be used as entries in a
substitution matrix. For instance, assuming that the data elements of a message are bytes, a
substitution table may be used with 256 entries each with a byte value, where each byte
value specifies a substitution value for a data element with a value matching the entry
number in the table. Alternatively, the substitution byte may be selected based on the
position of the byte in the original message, if desired, in combination with the value of the
byte in the original message. As an example, a pointer which (logically) points to an element
in the substitution matrix is loaded with an initial offset. This offset may be selected using
the basic operation of Fig. 3. The value of the first byte of the message is combined with the
pointer value (e.g. added to it). The value of the element in the substitution matrix to which
the pointer points at that moment is chosen as the substitution value. For the next byte of the
message, similarly the value of the next byte of the message is combined with the then valid
pointer value, etc. The pointer may be one-dimensional, where the substitution matrix is
logically arranged as a sequence where each row follows the previous row to form a long
row (alternatively the columns may be logically concatenated). Such an arrangement usually
matches the physical arrangement for storing a matrix in a memory. Using a suitable modulo
operation the pointer can be kept within the desired range of, in the example, 256 matrix
elements. It will be appreciated that instead of a one-dimensional pointer also a separate row
and column index may be used. Instead of using the pointer or index value directly for
selecting the substitution element, the value may also be fed through a randomiser, such as a
random sequence generator, whose output is used as a pointer into the substitution table. In
these examples it is assumed that the output of the generator 300 is a byte value. If not, a
conversion may be required. The random numbers may also be used to create a permutation
matrix for permuting the positions of data elements in the message. The basic operation can
also be used for changing an authentication item in step 224. Since the changing, preferably,
also depends on an external event, additional information, such as a message, and/or a time-
stamp and/or a message counter, is fed into the random number generator 300. The output of
the generator 300 may directly replace a constituent element (e.g. a value) of an
authentication item.

For generating the authentication in step 214 of Fig. 2, a similar routine
as described for the substitution may be used. In such a routine, in one round one data
element (one signature element) is selected from a matrix (or long row) with data elements.
Preferably, the initial data elements of the matrix have been generated randomly, where the
data elements are refreshed by using the output of the basic operation of Fig. 3 as a new data
element (preferably in combination with a historical influence, such as the content of a
previous message or a time-stamp, as described before). Alternatively, the output of the basic
operation may be used to randomly shuffle the data elements of the matrix. A pointer which
(logically) points to an element in the matrix is loaded with an initial offset. This offset may
be selected using the basic operation of Fig. 3, which is preferably used under control of
different sets of authentication items than used for generating the elements of the matrix. The
value of the first byte of the message is combined with the pointer value (e.g. added to it).
Next, the value of the next byte of the message is combined with the then valid pointer
value, etc. When all bytes of the message have been processed, the value of the element in
the matrix to which the pointer points at that moment is chosen as the signature value. The
security can be improved by repeating the routine to generate further signature values.
Preferably, for each successive round of generating a signature value a different initial offset
value is chosen. Alternatively, a subsequent round continues using the last obtained pointer
value of the previous round as the starting value for the new round.
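The following added Python sketch (not the patent's own code) puts together the basic operation of Fig. 3, the pointer-walk substitution of the preceding passage (with the inverse walk the host needs to remove the scrambling) and the multi-round pointer-walk signature routine just described. The byte step function of the generator, the Fisher-Yates shuffle used to turn generator output into an invertible 256-entry table, the 100-item sets and the sample message are all assumptions.

```python
class BasicOperation:
    """Block 300: a byte generator seeded from the first item set (block 302); on
    every step the feedback is XORed with an item from the second set (blocks
    304/306), each time selecting the next item. The step function is assumed."""

    def __init__(self, seed_items, feedback_items):
        self.seed_items = list(seed_items)
        self.feedback_items = list(feedback_items)
        self.seed_ptr = 0       # state variable: next seed item to use
        self.feedback_ptr = 0   # state variable: next feedback item to use
        self.reseed()

    def reseed(self):
        self.state = self.seed_items[self.seed_ptr] & 0xFF
        self.seed_ptr = (self.seed_ptr + 1) % len(self.seed_items)

    def next_byte(self):
        item = self.feedback_items[self.feedback_ptr] & 0xFF
        self.feedback_ptr = (self.feedback_ptr + 1) % len(self.feedback_items)
        self.state = ((self.state * 5 + 129) & 0xFF) ^ item   # feedback XOR item
        return self.state


def build_table(gen):
    """256-entry substitution table filled by shuffling 0..255 with generator
    output, so the table is a permutation and the host can invert it."""
    table = list(range(256))
    for i in range(255, 0, -1):
        j = ((gen.next_byte() << 8) | gen.next_byte()) % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def scramble(message, table, offset):
    """Pointer-walk substitution: add each message byte to the pointer (mod 256)
    and emit the table entry the pointer then points to."""
    out, ptr = bytearray(), offset % 256
    for b in message:
        ptr = (ptr + b) % 256
        out.append(table[ptr])
    return bytes(out)


def unscramble(scrambled, table, offset):
    """Host side: invert the table entry to recover the pointer, then the byte."""
    inverse = [0] * 256
    for idx, value in enumerate(table):
        inverse[value] = idx
    out, ptr = bytearray(), offset % 256
    for c in scrambled:
        b = (inverse[c] - ptr) % 256
        ptr = (ptr + b) % 256
        out.append(b)
    return bytes(out)


def signature(message, matrix, rounds, offset_gen, chain=False):
    """One signature element per round: load the pointer with an offset from the
    basic operation, walk it over all message bytes, pick matrix[pointer].
    With chain=True later rounds continue from the previous final pointer."""
    sig = bytearray()
    ptr = offset_gen.next_byte()
    for r in range(rounds):
        if r and not chain:
            ptr = offset_gen.next_byte()   # a different initial offset per round
        for b in message:
            ptr = (ptr + b) % 256
        sig.append(matrix[ptr])
    return bytes(sig)


def demo():
    # Constructed item sets of 100 items each; separate sets drive the table,
    # the matrix elements and the offsets, as the text prefers.
    set1 = [(i * 37 + 11) & 0xFF for i in range(100)]
    set2 = [(i * 91 + 5) & 0xFF for i in range(100)]
    set3 = [(i * 53 + 7) & 0xFF for i in range(100)]
    set4 = [(i * 29 + 13) & 0xFF for i in range(100)]
    table_gen = BasicOperation(set1, set2)
    table = build_table(table_gen)
    matrix = [table_gen.next_byte() for _ in range(256)]   # signature matrix
    offset_gen = BasicOperation(set3, set4)
    message = b"pay 100 to account 42"
    offset = offset_gen.next_byte()
    scrambled = scramble(message, table, offset)
    recovered = unscramble(scrambled, table, offset)
    return scrambled, recovered, signature(message, matrix, 4, offset_gen)
```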

It will be appreciated that, although the description focuses on the
communication from the station 102 to the host 100, the same authentication items can also
be used for communication from the host 100 to the station 102.
CLAIMS

1. An authentication system comprising at least one station and a host;
the station comprising authentication means for, based upon an authentication
algorithm, authenticating a message; and communication means for sending the authenticated
message to the host;
the host comprising communication means for receiving an authenticated
message; and verification means for verifying the authenticity of the received message by
checking the received message with an authentication algorithm corresponding to a station
which sent the message;
characterised in that:
the station comprises a memory for electronically storing a plurality of
authentication items;
the host comprises a memory for electronically storing the authentication items
of the station in association with an identification of the station;
the station comprises constructing means for constructing for each message a
corresponding authentication control element; the constructing means being operable to select
for the message a part of the plurality of authentication items and to construct the
authentication control element from the selected part, where the authentication control
element in practical circumstances causes the authentication algorithm to substantially
authenticate the corresponding message uniquely; and
the host comprises constructing means for constructing for each received
authenticated message an authentication control element from the authentication items
associated with a station which sent the message; the construction being the same as
performed by the associated station.

2. A system as claimed in claim 1, characterised in that the station comprises
a further memory for electronically storing an identification uniquely identifying the station
with respect to the host; the authentication means is operative to authenticate the message in
dependence on the identification; and the verification means is operative to verify the
authenticity of the received message in dependence on an identification of the station which
sent the message.
3. A system as claimed in claim 1, characterised in that the authentication
items are unique for the station; the station comprises a further memory for electronically
storing an identification uniquely identifying the station with respect to the host; the
communication means of the station being operative to send the identification to the host in
association with an authenticated message; and the host comprises means for locating the
authentication items of a station in dependence on an identification received in association
with an authenticated message.

4. A system as claimed in claim 1, characterised in that the station comprises
modification means for modifying at least one of the authentication items after the
authenticating means has authenticated a message and in that the host comprises modification
means for modifying at least one of the authentication items for the station in the same way
as the station after the verification means has successfully verified an authenticated message
received from the station.

5. A system as claimed in claim 4, characterised in that the modification
means is operative to modify an authentication item at least partly based on an event
independent of the authentication items.

6. A system as claimed in claim 2 or 3, characterised in that the station
comprises alteration means for altering the identification associated with the station after the
authenticating means has authenticated a message and in that the host comprises alteration
means for altering the identification associated with the station in the same way as the station
after the verification means has successfully verified a received authenticated message.

7. A system as claimed in claim 1, characterised in that the authentication
means comprises data generation means for generating additional data and in that the
authentication means is operative to authenticate a message in dependence on the additional
data; the additional data in practical circumstances with a high likelihood being different for
each message.

8. A system as claimed in claim 7, characterised in that the verification
means comprises data generation means for generating additional data for a received
authenticated message in a same manner as the identified station and in that the verification
means is operative to verify the authenticity of the received authenticated message in
dependence on the additional data.

9. A system as claimed in claim 7, characterised in that the authentication
means is operative to incorporate the additional data into the message before authenticating
the message; and in that the verification means is operative to remove the additional data
from a received authenticated message after having successfully verified the authentication of
the message.

10. A system as claimed in claim 1, characterised in that:
the construction means comprises at least one state variable influencing the
construction of the authentication control element;
the construction means is operative to update the state variable at least each
time a message has been authenticated; and to construct the authentication control element
under control of a control vector derived from a selection of the authentication items.